Posted by timothy on Thursday August 27, 2009 @06:40PM from the please-avoid-mine dept.

redsoxh8r writes "Online criminals have taken to a decidedly low-tech method for distributing the latest batch of targeted malware: mailing infected CDs to credit unions. The discs have been showing up at credit unions around the country recently, a throwback to the days when viruses and Trojans were distributed via floppy disk. The scam is elegant in its simplicity. The potential thieves are mailing letters that purport to come from the National Credit Union Administration, the federal agency that charters and insures credit unions, and including two CDs in the package. The letter is a fake fraud alert from the NCUA, instructing recipients to review the training materials contained on the discs. However, the CDs are loaded with malware rather than training programs." According to the linked article, the infected CDs were (or at least may have been) part of a penetration test, rather than an actual attack.

One of my consulting clients is a small (<$10,000,000 in assets) credit union. The disk was mailed directly to the CEO. According to him the letter contained therein actually resembled the form and structure of NCUA correspondence but had grammatical errors. I find it amusing that someone would go to such lengths to forge US Government correspondence but not bother to run spell check and/or proofread the letter.

Thankfully he knew better than to load random CDs received in the mail and gave me a call. The Secret Service actually came down and collected both the letter and the CD. They are taking this seriously. I hope they catch the bastards. Mail fraud, financial fraud, computer fraud and forgery. What have I missed?

The backend software package used by this particular credit union actually runs on Linux and Oracle. All but one of the workstations run Linux too. The holdout is a Windows 2000 machine that they keep around for some legacy software that they haven't been able to replace. The tellers don't even realize it's Linux because they are locked into the interface for the management system and can't navigate out of it. The loan officers can navigate out of it but the only other applications they have access to are Open Office and a handful of white-listed websites (webmail, credit scoring and a few compliance sites).

That's actually how I got the gig -- I was the only local person who responded to the CEO's bid who had a meaningful amount of Linux experience. He inherited the platform from his predecessor and wasn't inclined to spend the money to migrate to something else. AFAIK the vendor for his software doesn't even offer a Windows server option, although they do have a Windows option for the clients. They had previously used this option until I showed them how much they were spending on software licenses.

I wish I had been able to copy the CD and play around with the trojans in a sandbox but we were instructed not to touch it after we called the proper authorities. It would have been interesting to see what they were all about and where they are phoning home.

I wish I had been able to copy the CD and play around with the trojans in a sandbox but we were instructed not to touch it after we called the proper authorities. It would have been interesting to see what they were all about and where they are phoning home.

That was the first thing that popped into my head when I saw the article. Hacking brand new malware to see how it works and what it does is fascinating to me. Of course, when the Secret Service says "no touch", they really really mean it.

Actually, I know the guys at the company who ran this test. They are definitely a Linux shop. MSI is a do-anything security company that will dig through your trash to test your shredder discipline, send phishing messages to your company to test your employee information security training, and try and sneak into your datacenter to test your security guards, as well as the normal vulnerability scanning type stuff.

The outrage over this is pretty funny, because the company behind it was under contract from the

What? A story with a CEO turning out not to do the dumbest thing in history?? Unpossible!

Are they by any chance... hiring?

If I were the attacker, I'd do it again. This time properly with no errors at all. And with a special warning included, that fake mailings are in circulation, and with a big official seal of trustworthiness, etc. Something that C?Os love. The whole package of "*drool* want". With no fingerprints, genetic material, etc, but real pressed CDs, with professional labels. I'd let the real NC

The Secret Service actually came down and collected both the letter and the CD. They are taking this seriously.

Granted, it should be taken seriously since it is a crime after all. However, I didn't know the SS had the time to deal with crimes like this that are not against the POTUS. Did you contact them or did they get contacted indirectly? Just wondering how and why they entered the picture as opposed to the FBI (for interstate crimes). I believe I recall hearing that the SS gets involved with counterfeit operations but never heard them getting involved with malware issues.

Secret Service was originally part of the Department of Treasury. Now part of DHS, they still have jurisdiction over counterfeiting and fraud investigations and share jurisdiction with the FBI on some areas such as computer crime. It's well within their bailiwick.

Actually they started as a money protection force and only got the presidential gig later. Any time you start dealing with a large amount of iffy money then the Secret Service will show up (and I think it's in the regs for law enforcement that if they see more than X dollars at stake they summon the SS).

Umm, do you know what the definition of a credit union is? It's a member-owned cooperative financial institution. It's not a "debt institution". They loan money at extremely competitive rates and have no direct profit incentive other than the goal of paying a competitive dividend (interest) on their members deposits.

Go find one in your local area. Most of them are much more pleasurable to do business with than any bank. Community banks occasionally match them for customer service but no national bank ever will. I've yet to have one of my calls to my credit union answered in India or to have the interest rate on my credit card jacked up just because they can.

Yea, I think more people would bank at credit unions if they knew about them. I'd never heard of a credit union myself until I went to college (in Urbana-Champaign, IL of all places). Actually, I thought that "credit union" was just the name of a popular banking chain in the Midwest, like Wells Fargo or Bank of America or something. It wasn't until my roommate explained to me what a credit union was that I actually learned what they were.

Frankly, I'm kinda surprised that the Midwest has so many power co-ops

I live in the IE (Inland Empire). And upon further research, it appears that you're right. There is actually a Wescom very close to where I live and a few others in neighboring cities, but I'd never heard of these places. Everyone I know banks at a commercial banking chain. Do you bank at a CU in SoCal? If so, what's your experience with ATMs? http://www.cufriendly.net/ [cufriendly.net] doesn't show any CU-friendly ATM machines in my area. Are those fee-free CU ATMs pretty rare?

Part of the problem may be the fact that Credit Unions were originally tied to group of people (Teacher's union, large employer, etc.) but back in the 90's (I think) they were deregulated and allowed to open up membership to anyone. Some, like the Teacher's CU I belonged to, back in Fla., became almost as bad as a bank, service wise and fee wise. They were advertising like crazy on tv and building branches and all this stuff required more income for the CU. Sure, they're non-profit but in this case, were ac

Many credit unions spend a bundle on advertising, including in public schools, and charge numerous fees much like for-profit banks do.

I wouldn't say "many" but there are a few that behave in this manner. Our local large credit union [visionsfcu.org] behaves like this. They charge you a fee each time you swipe your debit card and use the pin instead of signing for it. They charge a fee for their billpayer service. They charge you a fee for exceeding a certain number of teller transactions per month. They have a huge advertising budget. TV Commercials, billboards, promotions with local businesses, etc, etc.

We're members of three credit unions, having kept open our accounts from college in another state, then added a joint account here in Austin at one credit union and recently, when we refinanced our home then I bought a car, at another.

The best thing in Austin is that all the credit unions are members of a shared network, so all credit union ATMs from any credit union in town are free to all credit union members. It makes their ATM network rival the size of any major bank, at least while in the local area.

It's not a "debt institution". They loan money at extremely competitive rates and have no direct profit incentive...

They are a "debt institution" because they loan money at interest (usury). Their non-profit status is not relevant.

To argue that they have "no profit incentive" is highly misleading. Like most nonprofits and charities most credit unions have EXTREMELY well-compensated executives whose compensation is based on how much money the credit union makes. So the employees (not the members per se) have a profit incentive. I'd also point out that in most nonprofits executive nepotism is rampant (it's not uncommon for

The GP is just one of many "Banks are evil!" types online. You aren't going to convince them otherwise. They have little understanding of finance and less of banking. Also the reason he's whining is because the USSS was involved. He also doesn't understand that they are responsible for this kind of crime, he thinks the president ordered them on the case because banks are special.

I've debated with the "Use only cash, banks are evil, we need the gold standard!" types and there is just no reasoning with them.

I wouldn't mind seeing a return to something similar to the gold standard but it's not because I think banks are "evil". It's because I don't like the fact that the Fed can effectively confiscate the savings that I've worked so hard to accumulate through inflation.

I've worked with the USSS three times in my professional career. Twice were for financial crimes. Once when somebody hacked our e-commerce server when I was in the ISP business and the other time for this. The other occasion I had to work with

That really depends on the credit union and how they conduct their business. I just bought a bunch of 10 month CDs from my credit union at 2.75%. They run a promotion every year offering a "special" CD rate and it's always been extremely competitive. I couldn't even match this particular offer at the online only banks like ING Direct.

Their standard rates are competitive with the other local brick and mortar institutions. They might get beaten by a few of the big boys and the online-only institutions but the flip side to that is that none of those institutions can even come close to the loan rates offered by my credit union.

Problem is: It's still a loan. With a rate. It's still ethically unacceptable, because there is always at least one of those who get one, who will not be able to pay it back.

Dude, put the bong down and back away slowly. ;) Or at least share it with the rest of us.

I invest only in real physical things that rise in value. Gold was an excellent thing to invest in, in the last years. Because as in every "recession", it's only a recession if you are in their game, playing it, and things like gold and silver rise like crazy, giving you huge (relative) profits

I took Mr. Buffett's advice to heart (buy when everyone else is selling, sell when everyone else is buying) and started buying stocks as the markets tanked. So far I'm up ~41% overall. Only one of my picks (TIE [google.com] if you are wondering, and I'm only down 6% on it) is in the red. Made my first buys in November of 08. My annual yield works out to ~64%. Have your gold investments matched or beaten this performance?

I got really interested when the stock market was heading down for record lows. Did a little research and some rabid buying. :D I made a lot of mistakes in hindsight, yet I'm still up 52% now, but I expect most of my profits to realize over the next year. The commodities market is a different beast altogether. In this respect you'll find that the reality is that a lot of a company's value is derived from its ability to invest in hard goods.

murp! sorry, my "play" account is up 5.2%. I stand on the assertion that most of my profits will realize off in the not too distant future. That said, with real money I've seen 500% profits in as little as three months with commodities. I don't see anything wrong with someone investing a specified amount of money in gold each month.

One of my best performing stocks is a commodity stock. I bought FCX [google.com] at $23 and change. It's now at $64. There was no reason other than unfounded panic for it to be priced as low as it was. Worked out well for me though.

I don't see anything wrong with investing in gold either. I just don't think you'll be able to match the ROI that you can see with good stock picks.

Mr. Buffett also said buy Euros when the dollar was being and still is being devalued to pay debt. He is just about always right. I knew the late 90's bubble when I said buy some 5 year CDs. Everyone said I was crazy too. No, stocks are better, etc. At 120 times earnings without any potential I don't think so. 2.75% for CDs? Hell, WWII war bonds paid 3% which was considered incredibly low even at that time. It's probably about time to sell again though, except for stocks that, well, deal in commodities. Just

If you think interest is unethical, you shouldn't be willing to use government backed currency, as governments often create or destroy money without doing anything to tie that activity to anything real.

(Interest works because the debtor is exchanging future consumption for present day consumption, presumably to their own advantage)

I agree with the general sentiment; but I think the story a few days back about the FBI picking up that quant accused of stealing code(or heck, our exciting bailouts and pretty much anything the federal reserve does) was a better example.

"1984 Congress enacted legislation making the fraudulent use of credit and debit cards a federal violation. The law also authorized the Secret Service to investigate violations relating to credit and debit card fraud, federal-interest computer fraud, and fraudulent identification documents."

"2001 The Patriot Act (Public Law 107-56) increased the Secret Service's role in investigating fraud and related activity in connections with computers. In addition it authorized the Director of the Secret Service to establish nationwide electronic crimes taskforces to assist the law enforcement, private sector and academia in detecting and suppressing computer-based crime; increased the statutory penalties for the manufacturing, possession, dealing and passing of counterfeit U.S. or foreign obligations; and allowed enforcement action to be taken to protect our financial payment systems while combating transnational financial crimes directed by terrorists or other criminals. "

Having the secret service investigate a cracking attempt at a bank is about as natural as having the local cops investigate a burglary. These guys are, in essence, the counterfeit currency and bank haxx0ring police, the protecting the president gig is just a flashy sideline. The fact that we have a dedicated counterfeit currency and bank haxx0ring police force does indeed say something about our priorities; but the fact that a police force does exactly what it was set up to do isn't much of a demonstration in itself.

In fact the only reason that they do protect the president is back when the issue came up, they were it for federal law enforcement. When congress wanted protection for the president (when McKinley was assassinated) they were pretty much the only choice. There was no FBI, the US Marshals didn't have the man power, and the US Postal Inspectors were just for the post office.

Perhaps they should have created a specific police force for presidential protection, but they didn't.

--The fact that we have a dedicated counterfeit currency and bank haxx0ring police force does indeed say something about our priorities; but the fact that a police force does exactly what it was set up to do isn't much of a demonstration in itself.--

I know that, but why again would this not be a high or even higher priority? The financial transactions have to work. Most money is just a stored number on a computer, without any physical currency. It's really a worse threat than counterfeiting. The local polic

Barclays Bank in the UK got bad news coverage a few years ago for refusing to lend a pen to a customer. To counteract this bad coverage, they got rid of all the pens-on-a-chain and now have disposable ballpen dispensers throughout their branches. You can just walk in off the street and help yourself to a pen, no questions asked. I must have a dozen by now. They have amusing mottos down the side such as "Steal me" or "Bank swag".

The problem here is Windows Autorun. As soon as you insert a CD, Windows checks for the presence of an "autorun.inf" file, and if it exists, it can specify a binary program on the disc to execute immediately, as whatever user is currently logged in. Thus, killing your security immediately.
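As an added example that is not code from this thread or from any Microsoft tooling, the following Python script shows what the comment above describes: it parses an autorun.inf, lists every entry that can cause a program on the disc to run, and reports the label/action text a user would be shown. The sample files are constructed for illustration; the file name Training.exe and the NCUA training pretext come from the thread itself.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the disc described in the thread: a [autorun]
# section whose open= entry launches Training.exe as the logged-in user.
SAMPLE_INF = """\
; constructed sample, not taken from any real disc
[AutoRun]
OPEN=Training.exe /quiet
icon=Training.exe,0
label=NCUA Fraud Alert Training
action=View the training materials
shell\\open\\command=Training.exe
shell=open
"""

# Constructed benign counterpart: an icon and a label, nothing to launch.
BENIGN_INF = """\
[autorun]
icon=disc.ico
label=Quarterly Reports
"""


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [autorun] section with keys lower-cased.

    autorun.inf is an INI file. Windows matches section and key names
    case-insensitively, so both are normalised here; lines starting with ';'
    are comments. Only the [autorun] section decides what gets launched.
    """
    section = None
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+?)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()
    return entries


def first_token(command: str) -> str:
    """Extract the program name from a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        closing = command.find('"', 1)
        return command[1:closing] if closing > 0 else command[1:]
    return command.split()[0] if command else ""


def audit_autorun(text: str) -> List[Tuple[str, str]]:
    """List every entry that can make a program on the disc execute.

    open=                   program run on insertion where Autorun is enabled
    shellexecute=           file opened with its associated handler
    shell\\<verb>\\command=   program bound to a context-menu verb; together
                            with shell=<verb> it becomes the drive's default action
    """
    launches: List[Tuple[str, str]] = []
    for key, value in parse_autorun_inf(text).items():
        if key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            launches.append((key, first_token(value)))
    return launches


def describe_prompt(text: str) -> Dict[str, str]:
    """Return the label/action/icon text that decorates an AutoPlay prompt.

    On Windows 2000 and XP an open= entry on a CD runs with no prompt at all;
    on Vista and later the AutoPlay dialog shows the attacker-chosen action=
    wording and icon=, which is all the user sees before clicking.
    """
    entries = parse_autorun_inf(text)
    return {k: entries[k] for k in ("label", "action", "icon") if k in entries}


def is_safe_to_mount(text: str) -> bool:
    """True only when nothing in the file can launch a program."""
    return not audit_autorun(text)


if __name__ == "__main__":
    for name, inf in (("sample", SAMPLE_INF), ("benign", BENIGN_INF)):
        print(f"{name}: launches={audit_autorun(inf)} prompt={describe_prompt(inf)}")
```

The audit deliberately treats any open=, shellexecute= or shell\<verb>\command= entry as a launch regardless of file extension, because Windows resolves the handler from the file's association, not from what the name looks like. Mounting the disc with Autorun disabled (the NoDriveTypeAutoRun policy the replies refer to) or on a non-Windows host is what keeps the parse from becoming an execution.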

Ummm... there is one place to disable autorun on removable media, although there are multiple methods available for accomplishing this task. Are you referring to auto-execution of other vectors? Like emails? Here's a reference [microsoft.com] for you to help you out. On Windows XP or above you just modify it in the local security policy and you're done. Of course with Vista and Win7 they ask you if you want to run autorun so you don't really have to do anything.

How right you are. For their needs maybe they couldn't tell the difference if you used another OS and applications on Linux. Just rename them. Like call Firefox IE and so on. If you were real clever you could probably move the icons too. I know I did this with Firefox on Windows a few years back to stop spyware and it worked for a couple of years. Now they just go out on the net and run programs without permission. I can't just shut it all down either, the higher ups get mad at you for this as they are the worst

While we're making it simple, why don't we just open up all the keyboards on site and solder the shift key connectors permanently closed? No autorun all the time and anyone who doesn't know about holding down the shift key won't have to learn. It's a perfect solution.

Easy for an experienced computer user, yes. We can just look up on the internet which registry key needs to be changed, and to what, and then we do it. For most users this is too much, and the registry is pretty scary to them.

or dismissed.

For some versions of Windows, yes. For the most popular version in credit unions (based on my limited anecdotal experience) "dismissing" is not an option. Windows 2K just runs whatever the CD tells it to.

The real issue here is that without autorun, idiots would open My Computer, open up D:\, and double-click "Training.exe".

Users will do silly things, but that is no reason to just give up on security and make an OS insecure by default.

Easy for an experienced computer user, yes. We can just look up on the internet which registry key needs to be changed, and to what, and then we do it. For most users this is too much, and the registry is pretty scary to them.

Any financial institution that deploys a "bare metal" installation of ANY OS without any hardening, be it Windows, Linux or whatever, shouldn't be handling the public's money to begin with and needs to be slapped severely about the face and ears. I wouldn't deploy a stock install of Linux either without spending time hardening it. Anyone who thinks Linux is "Secure by default" has drunk a little too much of the Kool-Aid. Believe me when I say that Windows can be hardened to a point where it is rather diffic

Years back (about 1995 or so) I configured my MTA to provide "president@whitehouse.gov" as the "From" address when I sent an obvious prank to a co-worker. He replied (!) cussing me out and joking, "I'm going to kill you". You can imagine he quickly realized what he'd done and sent another email explaining himself. Who knows if he managed to get himself on an FBI watchlist or not. ;)

A friend of mine in university got in a bit of trouble when he spoofed the reply address in a joke email. The IT dept wasn't happy they had to explain to a student that they didn't really get an email from god@heaven.com.

I once played around with that, 10, 12 years ago, writing emails using telnet -- ostentatiously with an address billgates@microsoft.de (or some such shenanigans). Apparently I did something wrong, because a couple of days later I got a stern but friendly mail from a Microsoft admin. I probably sent it to myself, misspelled my own address and it got bounced back to them.

Microsoft will send you direct links to download hotfixes when you request them from their website. Not quite the same as an attachment and you have to request it first but it would be the same result if you got such an email while you were expecting a reply from Microsoft which can sometimes take a few days.

I created a spam account on our domain where users can forward their spam if they are getting it on a regular basis. That way I can extend my filters and content blockers. Keeps the spam pretty low for

At the current price why would anyone bother with second hand routers, switches etc. They would do it with new gear, redo the factory default in a chip programmer and, then offer them at a discount, in the thousands. Especially with countries deeming it appropriate to become involved in large scale computer hacking as intelligence operations and, for the inevitable rogue agents and contractors, a future 'route' to profits.

Happens more often than you'd realize. China is very, very good at hacking and spying. They also happen to manufacture a significant portion of the IT components that we all buy and consider trustworthy. I'm convinced that if we ever piss off China, they can send out some magic ICMP packet that will start bricking every Cisco switch in the US.

Aside from the usual gripes about the efficacy of pen-testing, this gives pen-testing a bad name. The firm I work for does this exact same ploy, and so do teams from the Big 4 and various security firms, but they are always planned ahead of time. You have to do this sort of thing in a controlled manner (or as controlled as possible.) Usually, these things are dropped in a parking lot, and the payload is innocuous, because a customer (or member in the case of a CU) can pick it up. These guys exposed themselves to a lot of liability and can screw it up for honest hardworking sellout hackers such as myself and others.

In fact, I've used it. Until last year I worked for a credit union and frequently described a scenario almost exactly like this to justify things like a least-privilege security model for end users. It's scary to consider what an attacker might be able to accomplish with a scheme like this. The article only touches the surface in pointing out that credit unions are typically smaller than banks and lack security resources. Mine was one of the largest and probably the most technologically progressive credit union in my state but I had a lot of interaction with smaller credit unions due to their cooperative, less competitive nature. (less competitive with each other, that is.) My experience is that most credit unions have IT departments that can be counted on one hand, and no security-oriented individuals on staff at all. (IT or otherwise) In fact, there are many credit unions whose ENTIRE staff can be counted on one hand. Not long before I left, we absorbed a failed credit union's assets and member base at the NCUA's request. This particular example's infrastructure consisted of three desktop computers and an Access database. Credit unions make great financial sense but only the largest ones have the kind of IT and security resources most of us associate with a bank.

Truly, there's a sucker born every minute. Most of them seem to wind up working in business, and most of them have the technological competence of a retarded toaster. With any luck, the movers and shakers will figure out that paying the IT guy more than minimum wage...and having somebody competent to watch over HIM...is a wise investment.

Actually Credit Union customers get "Phishing" emails that pretend to be from the Credit Union and go to a fake web site that looks like the Credit Union but steals their password, user ID, account number, etc.

This happened to a friend of mine, and he phoned it in and the Credit Union asked him to come into their nearest branch and present ID and get his account changed to verify who he is, only the Credit Union near him closed down and he didn't know it and the next one was 100 miles away. He had to drive

It seems Credit Unions are facing hard times and shutting down branches, being that they are too small to be bailed out.

Where are you getting your information from? There's been a handful of credit unions that have failed but taken as a whole they've failed at a significantly lower rate than the banks. This is actually a boom time for credit unions and local community banks because the big boys are cutting back and people are looking for an alternative. The big players are closing accounts, jacking up interest rates and imposing all sorts of new fees. The credit unions are humming along with the same business model they've had for the last few decades: Slow sustained growth backed by proper lending standards and an emphasis on member service

Go through the NCUA/FDIC data some time and compare the percentage of "well capitalized" credit unions to the percentage of similarly capitalized banks. I think you'll find that credit unions are doing just fine.

No capitals, no exclamation mark, just a quiet little whoosh. Just about the volume of a tired gnat flying past a dog's ass. Had you bothered to read ANYTHING before you commented, then you might warrant a real whoosh.

Man I hear ya... It's just like all those fools calling that box on the desk a computer, when we all know a computer is actually a person who performs computations. Anyway, I gotta jump into the old horseless carriage for a spot of motoring. ;)

I don't care what percentage of society is clueless in this regard even if it is 99+%. I am just proud to not be one of them. A large percentage of the populace thinks they run the best, most secure OS in the world; indeed the only one. Did they become right by way of their mass delusion?

Considering that language is just a bunch of grunts(spoken) or squiggles(written) with agreed upon meanings...yes. As long as the meaning the speaker intended is imparted to the listener, they served their purpose.

Interesting... I just noticed, that when you would exchange the quote and the answer of your comment, GP would still be right. I've never seen that before, but it's certainly cool. I'm going to try to reproduce that... ^^

The set of hackers and Pen Testers is not disjoint. The summary writer is thinking of crackers. And yes, I know 1200 morons will pipe up to say that Hacker is in common usage, to which I say millions of teenagers say "minute" when they mean a long time, but a minute is still 60 seconds. The world can be divided many ways. One way is those who know what Hacker means, and those who mistakenly think it is a synonym for cracker. I don't care what percentage of society is clueless in this regard even if it is 99+%. I am just proud to not be one of them. A large percentage of the populace thinks they run the best, most secure OS in the world; indeed the only one. Did they become right by way of their mass delusion?

You know there's a whole school of philosophy dedicated to the common usage vs. defined meaning problem. As for which one is right.. Inconclusive.

... and you needed to quote my whole post to state that? Actually, you again have those with a clue against those without a clue who refuse to admit it. If it is common usage, but not part of defined meaning, we have an actual defined meaning for that! It's called slang.

I say millions of teenagers say "minute" when they mean a long time, but a minute is still 60 seconds.

Yeah, I don't think so. Your definition of "a long time" is something that YOU have pretty much made up on the spot and in the process ruined any claim to being an authority on English word definitions. Very few teenagers, or anyone else, mean "a long time" when they say "minute" - it's pretty rare for anyone to mean anything even approaching an hour when they say "minute." And unless you are a fruit-fly or suffer from ADD, an hour hardly ever qualifies as "a long time."

Dude, you're a moron. You are the one claiming you know all of the teenagers on the planet. ZK is saying some of the teenagers (many?) say this. You are claiming that NONE of them do. Only one of you is claiming to know all of the teenagers on the planet.

Do you really believe that Zero_Kelvin knows "millions of teenagers?" For all practical purposes he is claiming the exact same thing I am, except I'm applying common sense and he's just making shit up to support his own little pet peeve.

Haha, I hear you. As for myself, people who call a tisane simply "tea" or "herbal tea" get on my nerves. If it's not made with the "tea" plant, it's not "tea" damnit!!!! But most grammar software doesn't even know the correct word anyway...

"Oh - wait. Maybe I'm deluding myself. Slashdot. I actually read arguments here that Windows is better than Linux for no better reason than an author is afraid of the CLI. Let me shut up and slink out of here - I've done nothing but embarrass myself by talking to the wrong audience."

Maybe you also missed the part of my post about the 1200 morons? It should have conveyed to you I was well aware that there is a faction of the audience that is as ignorant as you describe. There are, however, quite a few pe

Wait, they faked where the CDs were coming from? Wouldn't that constitute Mail Fraud? And isn't that a Federal offense? Hmmm, it reminds me of the movie "The Firm". Sending a CD with Malware may not be illegal, but faking the source might be. I'm not sure of the law here, but I would think this would draw greater attention from federal authorities.

or not...

You act like impersonating a federal agency isn't a crime in and of itself.